Environment
Novell Access Management 3
Linux
Novell Identity Server
Authentication enabled (LDAP, mutual, NMAS and RADIUS)
Situation
When authenticating to an Access Manager Identity server, it is
possible to maliciously inject a script to cause the authentication
to fail. We can duplicate this by sending the following request to the
Identity server, specifically targeting a vulnerability in the 'IssueInstant' parameter, as shown below:
GET /nidp/idff/sso?RequestID=1234&IssueInstant=
If an invalid IssueInstant parameter is passed in then the following error message is generated:
Unable to complete authentication request.
Cause/Code: Unable to parse provided XML date
Additionally, the error message prints out the value that was passed in the IssueInstant parameter.
The value should be HTML encoded to prevent the XSS vulnerability.
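The following is an added illustration of the defect described above and of the fix the TID prescribes; it is not code from Novell Access Manager. It models the /nidp/idff/sso handler with a small Python function: IssueInstant is parsed as an xsd:dateTime, and when parsing fails the error message is built either by reflecting the raw parameter (the vulnerable behaviour) or by HTML-encoding it first (the corrected behaviour). A helper that flags web-server log lines carrying a malformed, markup-bearing IssueInstant is included for detection. The regular expression, the helper names and the sample log lines are assumptions constructed for this example.

```python
import html
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Liberty ID-FF / SAML IssueInstant values are xsd:dateTime in UTC,
# e.g. 2007-03-05T14:22:01Z (pattern is an assumption for this example).
_XML_DATETIME = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def parse_issue_instant(value: str) -> datetime:
    """Parse an IssueInstant; raise ValueError when it is not a well-formed XML date."""
    if not _XML_DATETIME.match(value):
        raise ValueError("Unable to parse provided XML date")
    # Fractional seconds are dropped; the first 19 characters are the base timestamp.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def error_page_unsafe(value: str) -> str:
    """Vulnerable form: the user-supplied parameter is reflected verbatim into HTML."""
    return ("Unable to complete authentication request.<br>"
            "Cause/Code: Unable to parse provided XML date: " + value)


def error_page_safe(value: str) -> str:
    """Corrected form: the reflected value is HTML-encoded so the browser renders it as text."""
    return ("Unable to complete authentication request.<br>"
            "Cause/Code: Unable to parse provided XML date: " + html.escape(value, quote=True))


def handle_sso(query: dict, safe: bool = True) -> str:
    """Minimal model of the /nidp/idff/sso handler (hypothetical, not the product's code).

    Returns 'OK <timestamp>' for a valid IssueInstant, otherwise the error page.
    """
    value = query.get("IssueInstant", "")
    try:
        instant = parse_issue_instant(value)
    except ValueError:
        return (error_page_safe if safe else error_page_unsafe)(value)
    return "OK " + instant.isoformat()


def flag_suspicious_request(request_line: str) -> bool:
    """Detection helper for access logs (constructed for this example).

    True when a request to /nidp/idff/sso carries an IssueInstant that is not a
    well-formed xsd:dateTime and contains HTML-significant characters.
    """
    parts = request_line.split()
    if len(parts) < 2 or not parts[1].startswith("/nidp/idff/sso"):
        return False
    params = parse_qs(urlsplit(parts[1]).query)
    for value in params.get("IssueInstant", []):
        if not _XML_DATETIME.match(value) and any(c in value for c in "<>\"'"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed request, one with markup in the parameter.
    good = {"RequestID": "1234", "IssueInstant": "2007-03-05T14:22:01Z"}
    bad = {"RequestID": "1234", "IssueInstant": "<i>not-a-date</i>"}
    print(handle_sso(good))
    print(handle_sso(bad, safe=False))   # markup survives into the page
    print(handle_sso(bad))               # markup is encoded as &lt;i&gt;...
    sample_log = [
        "GET /nidp/idff/sso?RequestID=1234&IssueInstant=2007-03-05T14:22:01Z HTTP/1.1",
        "GET /nidp/idff/sso?RequestID=1234&IssueInstant=%3Ci%3Ex%3C%2Fi%3E HTTP/1.1",
    ]
    for line in sample_log:
        print(flag_suspicious_request(line), line)
```

The safe variant is the change the Resolution section describes: the server still reports the parse failure, but whatever was supplied in IssueInstant reaches the browser as inert text. The log helper applies the same well-formedness test to proxy or web-server access logs, which is a cheap way to spot probing of unpatched servers.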
Resolution
Apply the Identity server build 3.0.0-1013 shipped with Access
Manager SP1 IR1. This patch will also be included in the Access
Manager 3 SP1 build. It fixes the cross-site scripting issue in the
IssueInstant parameter by removing the malicious HTML content from the
error message.